[
https://issues.apache.org/jira/browse/HIVE-1988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13012279#comment-13012279
]
Devaraj Das commented on HIVE-1988:
-----------------------------------
I updated the reviewboard https://reviews.apache.org/r/528/ with some changes.
The main change is: The methods getDelegationToken/renewDelegationToken now
check for the authentication method being KERBEROS. If not, then it refuses to
give a delegation token. This takes care of a security hole, where, if a
delegation token has been compromised, the malicious user in possession of the
token could use it to authenticate itself with the metastore, and get a new
delegation token. This process could go on forever (and hence the malicious user
could access the metastore without ever going through a kerberos
authentication). Making the handing out of delegation tokens based on a prior
kerberos authentication limits this.
Also, the patch on reviewboard doesn't have generated code. I will upload it
once someone takes a look at the patch and gives feedback.
> Make the delegation token issued by the MetaStore owned by the right user
> -------------------------------------------------------------------------
>
> Key: HIVE-1988
> URL: https://issues.apache.org/jira/browse/HIVE-1988
> Project: Hive
> Issue Type: Bug
> Components: Metastore, Security, Server Infrastructure
> Affects Versions: 0.7.0
> Reporter: Devaraj Das
> Assignee: Devaraj Das
> Fix For: 0.8.0
>
> Attachments: hive-1988-3.patch, hive-1988.patch
>
>
> The 'owner' of any delegation token issued by the MetaStore is set to the
> requesting user. When a delegation token is asked by the user himself during
> a job submission, this is fine. However, in the case where the token is
> requested by services (e.g., Oozie), on behalf of the user, the token's
> owner is set to the user the service is running as. Later on, when the token
> is used by a MapReduce task, the MetaStore treats the incoming request as
> coming from Oozie and does operations as Oozie. This means any new directory
> creations (e.g., create_table) on the hdfs by the MetaStore will end up with
> Oozie as the owner.
> Also, the MetaStore doesn't check whether a user asking for a token on behalf
> of some other user, is actually authorized to act on behalf of that other
> user. We should start using the ProxyUser authorization in the MetaStore
> (HADOOP-6510's APIs).
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
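The two rules discussed on this page, the comment's "only a Kerberos-authenticated caller may obtain or renew a delegation token" check and the issue description's "the token must be owned by the end user, and a service requesting it on that user's behalf must be authorized as a proxy user", modelled together as a small added example. This is constructed illustration code, not Hive's metastore or Hadoop's token code: `TokenManager`, `Caller`, `AuthMethod`, the `proxy_users` map and the user names `oozie`, `alice`, `bob` and `mallory` are all hypothetical stand-ins.

```python
"""Toy model of the delegation-token rules from HIVE-1988 (constructed example)."""
from dataclasses import dataclass
from enum import Enum
import secrets
import time


class AuthMethod(Enum):
    KERBEROS = "KERBEROS"  # caller proved identity with a Kerberos ticket
    TOKEN = "TOKEN"        # caller proved identity with a delegation token


@dataclass(frozen=True)
class Caller:
    """The authenticated identity behind one metastore request."""
    user: str
    auth_method: AuthMethod


@dataclass
class DelegationToken:
    owner: str        # user whose privileges the token carries (e.g. alice)
    real_user: str    # principal that requested it (e.g. the oozie service)
    renewer: str
    ident: str
    expires_at: float


class TokenRefused(PermissionError):
    """Raised when the metastore declines to issue, renew or accept a token."""


class TokenManager:
    """Hypothetical stand-in for a metastore delegation-token manager."""

    def __init__(self, proxy_users, ttl_seconds=3600):
        # proxy_users: service principal -> set of users it may act for
        # (a stand-in for Hadoop ProxyUser configuration, HADOOP-6510).
        self._proxy_users = proxy_users
        self._ttl = ttl_seconds
        self._tokens = {}

    def _require_kerberos(self, caller):
        # The comment's fix: a request authenticated with a delegation token may
        # not mint or renew another one, so a stolen token cannot be chained
        # into an endless supply of fresh tokens without a Kerberos login.
        if caller.auth_method is not AuthMethod.KERBEROS:
            raise TokenRefused(f"{caller.user} authenticated via "
                               f"{caller.auth_method.value}, not KERBEROS")

    def _authorize_proxy(self, caller, owner):
        # The issue description's ProxyUser check: a service asking for a
        # token on behalf of someone else must be configured to do so.
        if owner != caller.user and owner not in self._proxy_users.get(caller.user, set()):
            raise TokenRefused(f"{caller.user} may not act on behalf of {owner}")

    def get_delegation_token(self, caller, owner, renewer):
        self._require_kerberos(caller)
        self._authorize_proxy(caller, owner)
        # Owner is the end user, not the requesting service, so later
        # operations (create_table etc.) run, and create HDFS paths, as that user.
        token = DelegationToken(owner=owner, real_user=caller.user, renewer=renewer,
                                ident=secrets.token_hex(8),
                                expires_at=time.time() + self._ttl)
        self._tokens[token.ident] = token
        return token

    def renew_delegation_token(self, caller, ident):
        self._require_kerberos(caller)
        token = self._tokens.get(ident)
        if token is None or caller.user != token.renewer:
            raise TokenRefused(f"{caller.user} may not renew token {ident}")
        token.expires_at = time.time() + self._ttl
        return token.expires_at

    def authenticate_with_token(self, ident):
        # A task presenting the token runs as the token owner, via TOKEN auth.
        token = self._tokens.get(ident)
        if token is None or token.expires_at < time.time():
            raise TokenRefused("unknown or expired token")
        return Caller(user=token.owner, auth_method=AuthMethod.TOKEN)


def _refused(fn, *args, **kwargs):
    """True if the call is rejected by the metastore's checks."""
    try:
        fn(*args, **kwargs)
    except TokenRefused:
        return True
    return False


def demo():
    """Walk the scenario from the issue and return the outcome of each step."""
    tm = TokenManager(proxy_users={"oozie": {"alice"}})
    oozie = Caller("oozie", AuthMethod.KERBEROS)
    bob = Caller("bob", AuthMethod.KERBEROS)

    # Oozie, authenticated with Kerberos, requests a token on alice's behalf.
    token = tm.get_delegation_token(oozie, owner="alice", renewer="oozie")
    # A MapReduce task presents that token: the metastore sees alice, not oozie.
    task = tm.authenticate_with_token(token.ident)

    return {
        "owner": token.owner,
        "task_runs_as": task.user,
        # bob is not configured as a proxy user for alice.
        "bob_proxy_refused": _refused(tm.get_delegation_token, bob, owner="alice", renewer="bob"),
        # Whoever holds the token cannot use it to obtain a new token ...
        "chain_refused": _refused(tm.get_delegation_token, task, owner="alice", renewer="mallory"),
        # ... nor to renew it; only a Kerberos-authenticated renewer can.
        "token_renew_refused": _refused(tm.renew_delegation_token, task, token.ident),
        "oozie_renew_ok": tm.renew_delegation_token(oozie, token.ident) > time.time(),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The model deliberately keeps the two decisions separate: `_require_kerberos` looks only at how the caller authenticated, and `_authorize_proxy` only at whether the caller may act for the requested owner. A real metastore would also bind `renewer` to a service principal and drop expired tokens, but the shape of the check is the point here.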